4.14-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 24 May 2021 09:57:55 +0000 (11:57 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 24 May 2021 09:57:55 +0000 (11:57 +0200)
added patches:
rapidio-handle-create_workqueue-failure.patch
revert-rapidio-fix-a-null-pointer-dereference-when-create_workqueue-fails.patch

queue-4.14/rapidio-handle-create_workqueue-failure.patch [new file with mode: 0644]
queue-4.14/revert-rapidio-fix-a-null-pointer-dereference-when-create_workqueue-fails.patch [new file with mode: 0644]
queue-4.14/series

diff --git a/queue-4.14/rapidio-handle-create_workqueue-failure.patch b/queue-4.14/rapidio-handle-create_workqueue-failure.patch
new file mode 100644 (file)
index 0000000..07d6cf1
--- /dev/null
@@ -0,0 +1,51 @@
+From 69ce3ae36dcb03cdf416b0862a45369ddbf50fdf Mon Sep 17 00:00:00 2001
+From: Anirudh Rayabharam <mail@anirudhrb.com>
+Date: Mon, 3 May 2021 13:57:12 +0200
+Subject: rapidio: handle create_workqueue() failure
+
+From: Anirudh Rayabharam <mail@anirudhrb.com>
+
+commit 69ce3ae36dcb03cdf416b0862a45369ddbf50fdf upstream.
+
+In case create_workqueue() fails, release all resources and return -ENOMEM
+to caller to avoid potential NULL pointer deref later. Move up the
+create_workequeue() call to return early and avoid unwinding the call to
+riocm_rx_fill().
+
+Cc: Alexandre Bounine <alex.bou9@gmail.com>
+Cc: Matt Porter <mporter@kernel.crashing.org>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Anirudh Rayabharam <mail@anirudhrb.com>
+Link: https://lore.kernel.org/r/20210503115736.2104747-46-gregkh@linuxfoundation.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/rapidio/rio_cm.c |    9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/drivers/rapidio/rio_cm.c
++++ b/drivers/rapidio/rio_cm.c
+@@ -2136,6 +2136,14 @@ static int riocm_add_mport(struct device
+               return -ENODEV;
+       }
++      cm->rx_wq = create_workqueue(DRV_NAME "/rxq");
++      if (!cm->rx_wq) {
++              rio_release_inb_mbox(mport, cmbox);
++              rio_release_outb_mbox(mport, cmbox);
++              kfree(cm);
++              return -ENOMEM;
++      }
++
+       /*
+        * Allocate and register inbound messaging buffers to be ready
+        * to receive channel and system management requests
+@@ -2146,7 +2154,6 @@ static int riocm_add_mport(struct device
+       cm->rx_slots = RIOCM_RX_RING_SIZE;
+       mutex_init(&cm->rx_lock);
+       riocm_rx_fill(cm, RIOCM_RX_RING_SIZE);
+-      cm->rx_wq = create_workqueue(DRV_NAME "/rxq");
+       INIT_WORK(&cm->rx_work, rio_ibmsg_handler);
+       cm->tx_slot = 0;
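Review bot: The new `!cm->rx_wq` branch returns -ENOMEM without logging anything, so a failed mport add gives no hint of which step failed. A line such as `riocm_error("failed to create rx workqueue on %s", mport->name);` ahead of the two mailbox releases would cover it; the check being reverted did log, but with a message about IBMBOX allocation. As far as the hunk shows, the unwind is complete: both mailboxes are released, cm is freed, and creating the workqueue before riocm_rx_fill() leaves no receive buffers to undo. Separately, `INIT_WORK(&cm->rx_work, rio_ibmsg_handler);` still runs after riocm_rx_fill(); if the inbound callback can queue rx_work once buffers are posted, moving INIT_WORK up beside the workqueue creation would close that window, which should be confirmed against the callback. The callback and the rest of riocm_add_mport's body lie outside this hunk.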
diff --git a/queue-4.14/revert-rapidio-fix-a-null-pointer-dereference-when-create_workqueue-fails.patch b/queue-4.14/revert-rapidio-fix-a-null-pointer-dereference-when-create_workqueue-fails.patch
new file mode 100644 (file)
index 0000000..eb4ebdc
--- /dev/null
@@ -0,0 +1,52 @@
+From 5e68b86c7b7c059c0f0ec4bf8adabe63f84a61eb Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Mon, 3 May 2021 13:57:11 +0200
+Subject: Revert "rapidio: fix a NULL pointer dereference when create_workqueue() fails"
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+commit 5e68b86c7b7c059c0f0ec4bf8adabe63f84a61eb upstream.
+
+This reverts commit 23015b22e47c5409620b1726a677d69e5cd032ba.
+
+Because of recent interactions with developers from @umn.edu, all
+commits from them have been recently re-reviewed to ensure if they were
+correct or not.
+
+Upon review, this commit was found to be incorrect for the reasons
+below, so it must be reverted.  It will be fixed up "correctly" in a
+later kernel change.
+
+The original commit has a memory leak on the error path here, it does
+not clean up everything properly.
+
+Cc: Kangjie Lu <kjlu@umn.edu>
+Cc: Alexandre Bounine <alex.bou9@gmail.com>
+Cc: Matt Porter <mporter@kernel.crashing.org>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Fixes: 23015b22e47c ("rapidio: fix a NULL pointer dereference when create_workqueue() fails")
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20210503115736.2104747-45-gregkh@linuxfoundation.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/rapidio/rio_cm.c |    8 --------
+ 1 file changed, 8 deletions(-)
+
+--- a/drivers/rapidio/rio_cm.c
++++ b/drivers/rapidio/rio_cm.c
+@@ -2147,14 +2147,6 @@ static int riocm_add_mport(struct device
+       mutex_init(&cm->rx_lock);
+       riocm_rx_fill(cm, RIOCM_RX_RING_SIZE);
+       cm->rx_wq = create_workqueue(DRV_NAME "/rxq");
+-      if (!cm->rx_wq) {
+-              riocm_error("failed to allocate IBMBOX_%d on %s",
+-                          cmbox, mport->name);
+-              rio_release_outb_mbox(mport, cmbox);
+-              kfree(cm);
+-              return -ENOMEM;
+-      }
+-
+       INIT_WORK(&cm->rx_work, rio_ibmsg_handler);
+       cm->tx_slot = 0;
index d0f6501f6e7760246b39d4435da13ac4882ce058..c720699686009250e873c3b91aeb4e1866b4cfc0 100644 (file)
@@ -8,3 +8,5 @@ alsa-usb-audio-validate-ms-endpoint-descriptors.patch
 alsa-bebob-oxfw-fix-kconfig-entry-for-mackie-d.2-pro.patch
 revert-alsa-sb8-add-a-check-for-request_region.patch
 alsa-hda-realtek-reset-eapd-coeff-to-default-value-for-alc287.patch
+revert-rapidio-fix-a-null-pointer-dereference-when-create_workqueue-fails.patch
+rapidio-handle-create_workqueue-failure.patch